Friday, August 20, 2010

A slight divergence from the technical for a moment, everyone should go check out a cool new line of custom lock-picking tools that will be coming out shortly. Pre-Order yours by providing a donation to get the business started. I proudly donated a very large sum to this cause today and setup onsite training as well for a group of my friends with the creator of these lock-picks....

Generally I like to stay 100% technical posts but this guy was really cool, extremely excited about what he does and thats what I like to see!!! Motivated people with passion about their interests... I am always about supporting individuals like this... So check them out and get yourself a nice set of custom lock-pick tools...

And if youre in the cleveland area and interested in lockpicking, send me a message and i will let you know about lockpicking meet ups.

Tuesday, August 17, 2010

There is a new tool for anti virus bypass which allows an attacker to inject shellcode into a process Post exploitation. Enabling the attacker to pass a shell to a remote location, generally i assume this would be a meterpreter shell for obvious reasons. Those of us who penetration test for a living are aware of the need to sometimes have a shell after obtaining gui system access. Buuuut Antivirus can be a real pain in the ass sometimes.

A few people came to me today saying they tried this new technique and it looked awesome but was not functioning correctly, below is a description of why it was not working for them and how to fix it.. here is a link for the program as reference.

https://sites.google.com/site/mamit30/home/injector

Videos are cool and all but as we know they tend to leave things out, in this case they left out the proper way to create shellcode. They also left out how to create the file to inject into the process, so below is a walkthrough without missing any details of how to get a shell by injecting into a process with injector... Honestly, I wish people who developed tools would not leave out details in their videos. I also wish they would learn to talk and explain things as they create the video rather then having a distracting song..

Mainly I believe the issues people were having are of bad character sets within their shellcode. (Although I did not verify this in a debugger, the crash behavior leans towards this assumption)

When you inject a payload into a process if any characters are bad such as a Null characters the process will automatically terminate or create undesired results, it doesn't always have to be null and all processes and programs are created differently depending what they are looking for.Encoding is a good way to solve these issues. So lets get to it!!

Original Video: http://vimeo.com/14139105

Issues people had:

-Injecting into Explorer.exe crashes the process... (explorer being a good process because it re-spawns)

Resolution:

-Alpha upper encoding
-using the py file to create raw code

So basically the problem people were having is that there are bad characters in their shellcode that were crashing the process, following is a step by step on how to use the antivirus bypass technique that the video does not show clearly and in its entirety....

4. Check your process list for Explorer.exe then ship off your payload into the process, this payload is now encoded to remove all bad characters and with your multi/handler running you should receive a shell no problem.

I hope that clears a few things up for anyone who was asking me how to utilize this tool on a pentest, this is an excellent technique and very neat but explanation of proper payloads and examples were lacking, I would have much preferred a written write up with more detail for reference so that is what i am providing..

Final Note:

Also one final note, you will notice i used the "explorer.exe" process, the reason I used explorer.exe because if I blow it up, it will respawn itself. Also a good technique when migrating processes in Meterpreter, if explorer.exe Fubars, you can just kill the process and it will respawn. I have used this technique on processes running as a domain administrator to get full domain access. However when I blew up the process I lost access but was able to just respawn it and regain my foothold when no hashes or tokens were available.